Top E-commerce Sites Fail To Protect Users From Stupid Passwords
Martin S. writes "The Register reports that 'Top UK e-commerce sites including Amazon, Tesco and Virgin Atlantic are not doing enough to safeguard users from their own password-related foibles, according to a new study by Dashlane ... 66% accept notoriously weak passwords such as '123456' or 'password,' putting users in danger as these are often the first passwords hackers use when trying to breach accounts. ... 66% make no attempt to block entry after 10 incorrect password entries (including Amazon UK, Next, Tesco and New Look). This simple policy prevents hackers from using malicious software that can run thousands of passwords during log-ins to breach accounts.'"
xkcd has some insight about why this is bad for users generally, not just on any sites that happen to get compromised. Rules that require ever more complexity in passwords, though, probably backfire quite a bit, too.
From pointing the gun at their face.
Funny, I got my password from xkcd. UNCRACKABLE
Gamingmuseum.com: Give your 3D accelerator a rest.
Yesterday I was on a Ticketmaster signup form and they listed the following "requirements" for a password:
"(Must be between 1 to 250 characters. Alpha numeric only, case sensitive.)"
My bank, and even the company I work for, have arbitrary length limits for passwords. I cannot fathom why, unless the password is stored unencrypted :/
I'm not that great with using a different password for every single account I have online, but my bank account password is vastly different from anything else.
It's a lot harder to actually steal money online than people think.
never bring a twinkie to a food fight.
Users don't like registration dialogs. Enforcing good passwords will make users stop the registration process and go away. And a compromised user account is the user's problem, not the company's. That is current management thinking.
Vendor of X does a study showing that people would be safer using X.
I tried recently to change my banking password to something much longer, only to find there's a limit of just 14 characters. None of the several bank staff I asked about it could tell me why that is.
https://www.youtube.com/watch?v=jQ7DBG3ISRY
"With patience a ruler may be persuaded, and a soft tongue will break a bone."
1, 2, 3, 4, 5? That's amazing! I've got the same combination on my luggage! [Sandurz and Darth Helmet look at each other in horror]
I love how the submitter headed us off.
... not complexity. Did nobody read the Slashdot article from a few weeks ago about that?
Joseph, P. Parrot Smuggler is being an idiot, using simple passwords online....
Let's blame someone else for his stupidity!!!!
Sigh. My obvious password detector, published in 1984:
The algorithm used requires that the length of the password be within configurable length limits, and that the password not have triplet statistics similar to those associated with words in the English language. This is an inversion of a technique used to find spelling errors without a full dictionary. No word in the UNIX spelling dictionary will pass this algorithm.
Users should be advised to pick a password composed of random letters and numbers. Eight randomly chosen letters will pass the algorithm over 95% of the time. A word prefaced by a digit will not pass the algorithm, although a word with a digit in the middle usually will. Two words run together will often pass.
(The code linked is the original version in pre-ANSI C. Yes, kiddies, that's what C code once looked like.)
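The trigram idea described in this post, reconstructed as an added Python example (this is not the poster's 1984 code, which is not reproduced on the page). It assumes a small constructed word list standing in for the UNIX spelling dictionary, and an assumed rejection threshold of 50% "English-looking" trigrams; both are tuning choices, not values from the post.

```python
# Obvious-password detector built on trigram statistics: any password whose
# letter triplets mostly appear in a word list is treated as too word-like.
# The word list and the 50% threshold are constructed assumptions.

# Constructed stand-in for a spelling dictionary.
TRAINING_WORDS = """
password secret welcome letter dragon monkey master sunshine princess
football baseball shadow computer internet freedom whatever superman
access apple orange banana running jumping number spot hurl house
""".split()


def trigrams(text):
    """All overlapping three-character windows of text, lower-cased."""
    text = text.lower()
    return [text[i:i + 3] for i in range(len(text) - 2)]


def build_trigram_set(words):
    """Collect every trigram that occurs in the dictionary words."""
    seen = set()
    for word in words:
        seen.update(trigrams(word))
    return seen


ENGLISH_TRIGRAMS = build_trigram_set(TRAINING_WORDS)


def check_password(candidate, min_len=8, max_len=64,
                   known=ENGLISH_TRIGRAMS, max_fraction=0.5):
    """Return (accepted, reason).

    Rejects passwords outside the configured length limits, and passwords
    whose trigrams look like dictionary words: if more than max_fraction of
    the candidate's trigrams occur in the word list, it is assumed to be a
    word (possibly with a digit tacked on) rather than a random string.
    """
    if not (min_len <= len(candidate) <= max_len):
        return False, "length must be between %d and %d" % (min_len, max_len)
    tri = trigrams(candidate)          # min_len >= 8 guarantees tri is non-empty
    hits = sum(1 for t in tri if t in known)
    fraction = hits / len(tri)
    if fraction > max_fraction:
        return False, "looks like a dictionary word (%.0f%% English trigrams)" % (fraction * 100)
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "1password", "x7q2zk9w", "abc"]:
        print(pw, check_password(pw))
```

With a real dictionary the trigram set is large enough that digits inside a word break enough triplets to let it through, as the post notes; with this toy list the behaviour on the clear cases (a dictionary word, a digit-prefixed word, random alphanumerics) is the same.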
2) A bunch of sites that have legitimate needs for passwords but do NOT need 'secure' passwords. Slashdot is a great example - we need to confirm who you are but if someone steals your Slashdot password it is not a big deal. So they use your identity to Praise Senator Cruz, and destroy your reputation, no big deal. Let people use 4 character passwords - just like for your ATM card.
3) Websites with a real need for secure passwords - 'primary' email accounts, credit card accounts, etc. They could easily use stream ciphers - little electronic devices that constantly update the password. You have 1 minute to enter the password before it changes. Or if you prefer anonymity for your email account a downloaded program that resides on the PC you use to establish the email account and to log in, you must use that PC (with a 'move my account' program that must be initiated from that PC). Of course that limits your functionality, but at least it gives you anonymity.
excitingthingstodo.blogspot.com
Yes, because I'm going to be so traumatized when I lose my Red Robin login that has my low security password...
My trick to passwords? Song lyrics. Easy to remember and usually long. Now my main problem is explaining how to spell 'Ipanema', and what's so special about the girl there.
When you use the above merchants to pay, only the money is transferred and no re-usable billing information like credit card info is sent to the recipient of the funds. So when doing ecommerce you don't have to put your CC# everywhere on the internet then wonder why you've got credit card fraud.
In some cases you can set up or are forced to automatic authorization from PayPal, but you can revoke that immediately. PayPal really is the safest way to pay. No comment on the rest of PayPal's operations though (disputes and seizures).
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
I think the right strategy for websites which have to do user registration is to just provide the user with a random password of sufficient length as to be near impossible to type correctly, much less remember, and don't even provide the functionality for users to select their own. This almost insures that the password won't be used elsewhere, it enforces password quality, and it encourages the use of a good password manager.
I'm starting to have problems with differing rules at different sites.
I.e. one REQUIRES a special character. Another disallows special characters.
One has a maximum length of 8 (crazy short) while others have a minimum length of 8 characters.
And all of them won't let you reuse a recent password so if you can't remember the password, then your new password can't follow your own password rule set.
It's reached a point that now i have a sticky pad with coded passwords written down.
Netflix has been a pain because it's non-standard as a result of resets and you need to reenter the password on every device (and I'm up to five now).
So when I have to reset the password, I have to reset the password on all my devices. And on some the password screen only comes up when it checks the password- which isn't apparently every time you use the device. I guess they get a token that's good for a month or more.
She was like chocolate when she drank... semi-sweet at first and then increasingly bitter.
The blurb has the wrong xkcd article, this is much better: http://xkcd.com/936/
shilling for companies under the guise of 'news.'
Let's see, the 'article' is a blog post by an author at Dashlane and the last paragraph in the 'article' is...
The easiest way to create and remember strong passwords is with a password manager, like Dashlane, which generates unique passwords for you, saves them to your account, and autofills them online. Your data is protected with world-class security and encryption, and is only accessible to you. Learn more, and get it free at here.
Really!?! Hopefully you're getting paid for this promotional ad ;)
Developers should protect the password from brute force cracking by putting a time delay after successive failed login attempts. It doesn't really matter how strong your password is, if the system allow unlimited login attempts then it's possible to crack using something like CloudCracker.
"66% make no attempt to block entry after 10 incorrect password entries ..."
And the other 34% have hundreds of customer service calls from people whose accounts have been locked out.
My e-mail address is not a secret. I wouldn't mind being notified about failed logins, but please don't lock me out.
Also, maybe you feel your site is ultra-super-important, but I personally don't give many fucks about 99% of my logins. Before tech, people were identified based on looks, mannerisms, tone of voice, character, everything which identified them as /them/. I don't think that, following millions of years of evolution to make us the complex social animals that we are, humans are about to accept that "knowing a password" should be any sort of necessary or sufficient means of identifying a person.
That means that they're probably storing them in a database where the field is set to 14 characters. Possibly in plain text.
If they were hashing them (with or without a salt) then they wouldn't care if your password was larger. As long as it still fit into the buffer they've assigned to it. Because the hash of a 1 character password should be the same length as the hash of a 256 character password.
Be worried about that bank's security.
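The point made in this post, that a salted hash has the same size whatever the password length, shown as an added Python example (not code from the post or from any bank). It uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count and salt size are assumptions to be tuned for your own hardware.

```python
import hashlib
import hmac
import os

HASH_NAME = "sha256"
ITERATIONS = 600_000    # assumption: adjust to what your login servers can afford
SALT_BYTES = 16         # assumption: per-user random salt length
DIGEST_BYTES = 32       # SHA-256 output size; does not depend on password length


def hash_password(password, salt=None):
    """Return (salt, digest) for storage. The digest is always DIGEST_BYTES long."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                                 salt, ITERATIONS, dklen=DIGEST_BYTES)
    return salt, digest


def verify_password(password, salt, stored_digest):
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def stored_record_length(password):
    """Bytes the database column must hold (salt + digest), for any password length."""
    salt, digest = hash_password(password)
    return len(salt) + len(digest)


if __name__ == "__main__":
    for pw in ["a", "p" * 256]:
        salt, digest = hash_password(pw)
        print(len(pw), "char password ->", len(digest), "byte digest")
```

A 14-character column limit is therefore never a consequence of hashing; if a site needs one, the cleartext is going somewhere it should not. The one length rule a hashed scheme does need is the opposite one: never silently truncate the input before hashing, because the user then has a different password than they think they have.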
In addition to just listing their password requirements, sites could provide a link or bubble help to a method of creating a "good" password. I like:
1) Pick a short phrase (e.g., "See Spot run.") but that connects to the site to provide some mnemonic value (so "See Spot hurl." might be for your vet).
2) Do some simple letter to number, symbol or punctuation substitutions (e.g., "S33 Sp0+ hurl.").
3) If you wish, squish out the blanks between words (e.g., S33Sp0+hurl.).
So we now have an easy to remember, eleven character password that includes upper and lower case letters, numbers, a symbol and punctuation.
Cheers,
Dave
They that can give up essential liberty to obtain a little temporary safety deserve neither safety nor liberty.
Ben
A salted hash of the user's password is fine for authenticating the user to your own service. But it doesn't help when your service needs to authenticate to another service to perform actions on that user's behalf. Say a server running service A uses service B on behalf of users of service B. In order to do this, service A needs to store a credential for each user of service B. How should service A protect these credentials from an intruder?
I mean, I run into websites that declared themselves so important that the password HAD to be complex [but] all the site had were software downloads.
Might it have been to keep an intruder from pretending to be you and redownloading the software you paid for? Or maybe I guess my mind got clouded by today's story about Steam...
How should a web site determine whether a given password is "notoriously weak"?
Where does "10" come from, and how long should entry be blocked? We don't want customers to become ex-customers when they discover that they have to make international telephone calls at a dollar per minute or more to get their accounts unblocked.
One site I manage uses the following, with a link to Wikipedia's page about password strength and xkcd's comic about passphrases: "Either 8 or more characters using at least one letter and one digit or a phrase of 16 or more characters using at least one letter, and not easy to guess"
I don't know how it's possible to "display a password meter" to users of NoScript.
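The two questions in this post (how to decide a password is "notoriously weak", and the either/or policy quoted for the site the poster manages) as an added Python example; this is not the poster's code. The blocklist is a constructed handful of entries standing in for a large list of breached passwords, and the normalisation rules (case folding, trailing digits, leetspeak) are my assumptions about what a checker should fold away.

```python
import re

# Constructed stand-in for a "notoriously weak" list; a real deployment
# would load a large list of passwords seen in breaches.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein",
                    "12345678", "iloveyou", "abc123"}

# Undo the common letter-to-symbol substitutions ("P@ssw0rd" -> "password").
LEET = str.maketrans("0134@$", "oleaas")


def normalize(pw):
    """Fold the trivial tweaks people make to a common password."""
    s = pw.lower()
    s = re.sub(r"\d+$", "", s)       # "password1" -> "password"
    s = s.translate(LEET)            # "p@ssw0rd"  -> "password"
    return re.sub(r"[^a-z]", "", s)  # drop punctuation and leftover digits


def is_easy_to_guess(pw, username=None):
    """True if the password is on the blocklist (after normalisation) or
    contains the account name."""
    n = normalize(pw)
    if pw.lower() in COMMON_PASSWORDS or n in COMMON_PASSWORDS:
        return True
    if username:
        u = normalize(username)
        if u and u in n:
            return True
    return False


def check_policy(pw, username=None):
    """Apply the quoted policy: 8+ characters with at least one letter and
    one digit, OR a phrase of 16+ characters with at least one letter,
    and in either case not easy to guess. Returns (accepted, reason)."""
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    short_form = len(pw) >= 8 and has_letter and has_digit
    phrase_form = len(pw) >= 16 and has_letter
    if not (short_form or phrase_form):
        return False, "need 8+ characters with a letter and a digit, or a 16+ character phrase with a letter"
    if is_easy_to_guess(pw, username):
        return False, "too easy to guess"
    return True, "ok"


if __name__ == "__main__":
    for pw, user in [("123456", None), ("P@ssw0rd1", None),
                     ("correct horse battery staple", None), ("dave2015x", "dave")]:
        print(repr(pw), check_policy(pw, user))
```

The normalisation step is what separates a useful blocklist from a useless one: "P@ssw0rd1" passes the character-class rules and is not literally on the list, yet it is among the first guesses anyone makes.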
Me: Additional Information: password "Must be between six and ten characters in length"
Why does Tesco have such a silly limit???? Please consider increasing the max length of the password!
I am sorry that you are unhappy with the length of password you can use to register on our website. I have now logged your comments on our Customer Feedback System under reference 13782619. This will ensure that it is fed back to the relevant team in our Head Office.
That was back in 2012
I wouldn't want anything to do with trying to monitor my user's passwords. If I make rules for what makes a good password vs a bad one, and they get hacked, I'm now partially liable ("I followed your rules! this is your fault")
What this really is about is an incessant lobby geared at "banning" passwords in favour of whatever is the latest fad this week, invariably involving something getting sold or some service getting way more access than it should, ie, it's another blatant round of ploy at productizing people yet again.
And the problem they're trying to solve? Can't really be solved that way. Worse, it's [b]not their job[/b] to even try. This sort of access management is the users' own responsibility, and [i]one size does not fit all[/i]. For example, the first people that get shut out are the ones that are already using different and hard-to-guess passwords everywhere, say managed by a password manager under their control. Thus, to make sure "no user gets left behind", the ones at the front get held back and pushed into models they have no need for. Something that the companies with a password replacement agenda never want to hear. How curious.
We sell software that has an accompanying account for users to download data feeds and related updates. We do not let users pick their own passwords. We give the user a randomly-generated password that he/she has to use.
There are two major benefits: If we get hacked and all the credentials are stolen, the passwords (with overwhelming probability) will not be usable on any other sites, so our users are safe. Conversely, if another web site used by our users is hacked, then (with overwhelming probability) those credentials will not work on our site.
Yes, it's a little inconvenient for our users. We tell them to write down the password on a piece of paper and keep it in their wallet.
Apple, among many, many other services, says that after a certain number of failed attempts, your account is locked and you have to reset your password to regain access.
This seems stupid to me because if the password kept someone out after X failed attempts it must be strong enough. So why force a new one?
Experiment: force enough password resets on a user's account until they've run out of strong passwords, then use "password" to get in. Profit!
Of my 61 documented online accounts, 31 REQUIRE the use of my email address as my account name. When any of the 31 have a data breach, the rest are at far higher risk than they would be otherwise, because the bad guys now have a probably active email address to try a list of common passwords against all of the sites that require email addresses for login IDs. Online retailers seem to be the worst, followed by on-line game accounts.
Let's think about this again... if you think there ought to be a law, there probably oughtn't.
More sites should fail to protect me from using a "stupid" 30-letter-or-whatever-long passphrase just because its algorithm thinks that it's "weak" because it doesn't have 2 numbers and two special characters (but only choose from these 3 specific special characters, because we don't know how to protect against sql injection otherwise!) Let me pick my own frelling password.
Ok, so it probably makes sense to specifically bar users from using completely butt-tarded passwords like "123" and "password", but only those specifically.
... job admission forms fail to protect candidates from burning themselves with bad grammar.
(Thank god Slashdot fails too, as some of you can easily note from my already traditional bad grammar.)
Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
The bank I used to be with before I recently switched upgraded their security a few months ago. Prior to the upgrade, they actually limited passwords to 10 characters maximum. Thankfully, both this bank after the security upgrade and my current bank don't have any such maximums and I can use a longer password. (and no, the security stuff wasn't why I switched, I switched because I moved to a new area where my old bank didn't have any branches)
Any web site that limits the maximum amount of characters in this way is stupid, as is any web site that makes passwords case-insensitive or doesn't allow numbers or symbols.
Actual security that will protect people from themselves costs a lot more than compensating the 2% of that 66% who actually get hacked. Person gets hacked for his own stupidity, company may or may not need to compensate the victim. Let's say this amount comes to $100 per 1,000 users as a high estimate pulled out of my ass. Company B uses real security, that somehow completely eliminates fraud, blocks users out after 3 wrong passwords, and requires really complex passwords. Users keep forgetting their passwords, support is now overwhelmed, company pays $400 per 1,000 customers on support.
...stupid parents found not to be doing enough to prevent birth of stupid children
I don't think you have thought your plan all the way through.
Didn't realize it was their job to be a nanny to their users. And here I thought they had to be over 18 and of legal age to "sign" the EULA.
A lot of sites have the same userID and a password like "xyz123". OMG you hacked into my free pandora / whatever site that I don't care about? Yawn, I guess I'll just create another account.
Now ones with my CCs and other more important info? They all have much harder credentials and unique passwords.
(Yes, I can read. "These are Top Sites we're working with. Which ones? Top. Sites.") Still not my problem. Maybe the users actually want their account attacked so they can get free CC account monitoring? Or can plead bankruptcy easier somehow? Hell, maybe it's a detection canary sponsored by your regional government or police officials. Just because it's weak doesn't mean it's bad, maybe the users have memory loss and can only remember a single letter.
That's RIGHT, you're now actively arguing for discriminating against intelligence-impaired people, people who can't touch-type, and people (executives) that are much too important and busy to bother typing a complex password. Government standards will soon mandate a minimum password of 0 characters with a maximum of 9 in order to preserve the impending world-wide bit crisis. The more characters you use now, the less that remain for everyone one. Larger font letters that require more digital ink to store will soon increase in price -- soon only the 1% will be able to afford them, so BUY NOW!
If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
PayPal: correct infrastructure, but company run by crooks. Quite unfortunate.
Several years ago, I used to work for a now defunct online web site company that provided websites to customers. Customers were required to activate their site and sign in to a site management web page. Although the password policy was not as sophisticated as it should have been, we did require passwords to be between 6 and 16 characters.
We received an email from one customer who was helping a new customer activate and sign up for the web management page. The new customer liked to pick passwords based on a mild shock value and wanted to use "Penis" as his password. The customer wanted us to know that they almost died laughing when the web page responded back with the message:
"Password rejected. Not long enough. Please try another."
Remember, password length is important. Choose your length wisely.
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
Blip.
Personally, I love password rules.
The more complex the rules, the smaller my brute force search space, since I can just not look for passwords which don't meet the rules.
That's not even vaguely related to what CloudCracker does, which suggests to me that you haven't a clue what you're talking about.
This suggestion is reinforced by the fact that you recommend adding a "feature" which will allow me to prevent you from logging into any website I want, for near-arbitrary values of "you". There are right ways to do anti-brute-forcing protections on a password. Time delays (on remotely accessible unauthenticated login pages) are almost never the right option.
Much better is to automatically initiate a password reset for the affected user, where practical. Where not-so-practical, require a high-quality CAPTCHA after more than, oh, three failed attempts. The first approach makes brute-forcing practically impossible unless you have control over the password reset mechanism (in which case you would just have triggered that yourself, then completed the process on behalf of the victim). Worth noting here that the site needs to log the user in directly as part of the password reset (rather than just bouncing them back to the login page) since the attacker can force another reset almost instantly. The second approach slows down brute-forcing without making it too hard for the user, and makes *automated* brute-forcing nearly impossible.
There's no place I could be, since I've found Serenity...
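The second approach in the post above, step-up to a CAPTCHA after a few failures rather than a hard lockout, as an added Python example (not the poster's code). The threshold of three failures and the fifteen-minute window are assumptions; the CAPTCHA itself is represented by a boolean that the caller supplies after verifying it, and the injectable clock exists only so the behaviour can be checked deterministically.

```python
import time


class LoginGuard:
    """Track failed logins per account and require a step-up (CAPTCHA) after
    `threshold` failures inside `window` seconds. The account is never locked,
    so a stranger hammering the login page cannot deny the owner access; they
    only make the owner solve a CAPTCHA."""

    def __init__(self, threshold=3, window=900, clock=time.monotonic):
        self.threshold = threshold      # assumption: three failures
        self.window = window            # assumption: fifteen minutes
        self.clock = clock
        self._failures = {}             # account -> timestamps of recent failures

    def _recent(self, account):
        """Drop failures older than the window and return what remains."""
        now = self.clock()
        stamps = [t for t in self._failures.get(account, []) if now - t < self.window]
        self._failures[account] = stamps
        return stamps

    def needs_captcha(self, account):
        return len(self._recent(account)) >= self.threshold

    def record_failure(self, account):
        self._recent(account)
        self._failures[account].append(self.clock())
        return self.needs_captcha(account)

    def record_success(self, account):
        self._failures.pop(account, None)


def attempt_login(guard, account, password, captcha_ok, check_password):
    """One login attempt. Returns 'captcha_required', 'ok' or 'denied'.

    check_password(account, password) is the site's own verifier; captcha_ok
    is True only if the caller has already validated a CAPTCHA response."""
    if guard.needs_captcha(account) and not captcha_ok:
        return "captcha_required"        # no password check until the human proves itself
    if check_password(account, password):
        guard.record_success(account)
        return "ok"
    guard.record_failure(account)
    return "denied"


if __name__ == "__main__":
    # Constructed credential store for the demonstration.
    creds = {"alice": "correct horse battery staple"}
    guard = LoginGuard()
    verify = lambda user, pw: creds.get(user) == pw
    for pw in ["wrong", "wrong", "wrong", "correct horse battery staple"]:
        print(pw, "->", attempt_login(guard, "alice", pw, False, verify))
    print("with captcha ->", attempt_login(guard, "alice", creds["alice"], True, verify))
```

Because the counter is per account and never blocks outright, the failure mode raised elsewhere in this thread (lockouts as a denial-of-service lever) does not apply; in production the same counter would also be kept per source address, and a CAPTCHA-gated attempt should still be logged so the owner can be told about the failed logins.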
Wow, you're trying (and I appreciate that) but you really need to think this through a lot harder!
1) Password "guessing" isn't done by a human who will get bored. It's automated, and *extremely* fast. Let's say I can submit 10 password attempts per second (practically speaking, even a shitty home connection can probably manage closer to 50; a botnet could manage tens of thousands easily if the login server is up to it). Just because your password isn't in the 10 most commonly used ones doesn't mean it isn't in the 600 most commonly used ones. Oh no, instead of one second, it took my automated proxy a full minute to break into your account! As if that's a meaningful delay for a targeted attack...
2) How the heck is the user going to "run out" of strong passwords? I mean, even if the site prohibits re-using the old password after a reset, there are a quite literally infinite number of possible passwords. I'll grant that if you kept this attack up until the heat death of the universe, it would eventually reach the point where my "password" might need to be longer than a typical sentence in English, but whoop-de-do. You could keep this kind of attack up all year without running the user out of dictionary words, so long as they aren't logging in 20 times a day! You couldn't run somebody out of pairs of such words in a natural human lifetime. That's ignoring case, and using the stupidest possible password generation scheme (choose the next word [pair] from the dictionary). A decent password scheme would be vastly more secure.
3) This user notes that somebody is *constantly* trying to brute force their password. Let's say you've managed to keep it up for months without getting your IP blocked or getting arrested under the CFAA or some such thing. The target of the attack has run through dozens of passwords. Why the hell would they decide to use a really weak one (knowing there's a constant attack going on) for their next one? Wouldn't it make a lot more sense at that point to hammer on the keyboard for five seconds when asked to create their password, knowing full well they will need to reset it next time they want to log in anyhow, due to that asshole wasting their time forcing resets constantly?
Yeah, you *really* didn't think about that one very hard, did you?
There's no place I could be, since I've found Serenity...
They shouldn't. It's not their business. If I use 12345 as my password it's my problem, not yours.
There is nothing I hate more than websites that make me adhere to their arbitrary password security rules. The more hoops you make me jump through, the harder the password is to remember, and the dumber the password I pick (in the hopes of making it easier to remember).
Please, leave me alone.
"PayPal: correct infrastructure, but company run by crooks. Quite unfortunate."
PayPal, a WhatsApp-like company. Over 100 million customers but only 50 employees.
1 of them doing the complaints.
Blocking access after failed passwords just invites denial of service attacks. It seems like a bad idea for most situations.
Thought it through just fine, thank you. My plan to take over the world was a jest. My complaint about requiring a password reset after X number of tries is 100% valid. Let's walk this through:
1) Bot hits my account 10 times. Account is locked. Victory! Bot doesn't get in.
2) Eventually, I request that the account get unlocked. Company has two choices:
i. Unlock the account and let me go about my business, secure in the knowledge that I have a password that can't be guessed in 10 tries.
ii. Force me to choose another password according to whatever arbitrary rules Company has in place.
Option ii makes no sense to me. The bot may, or may not, have been hammering at my (locked) account all this time. So what? It's not like anything out there is keeping track of the 10 tries that failed, and will continue from there once I get around to asking Company to unlock the account.
Option i makes sense, and is user-friendly. Option ii makes no sense and is user-hostile, not to mention lazy, because it shows that Company prefers the illusion of security to actually thinking it through.
Please, show me where I'm wrong. It's Slashdot, that's practically a hobby here.
Repeat after me.
The problem IS NOT PASSWORDS. Fighting for "better passwords" is a never-ending, stupid, foolish waste of time.
What is the point of a password? It is to prove who you are. Nothing more, nothing less. A password is not used as a key to look up information for a retailer, or blog, or anything else - that is keyed off your user name. All a password is is an identifier showing WHO YOU ARE.
It is unrealistic to expect a human to remember dozens of complex passwords and change them monthly. It is also unrealistic to preach "password managers" as a solution because they don't work in all situations and on the go.
So then, why is it that I need a username and password FOR EVERY ONE OF Amazon, Tesco, Virgin, and every other company listed in the OP, and Facebook, and Yahoo, and Google, and Slashdot, and every other site? Why can't I just have ONE complex, known, secure identification mechanism?
And even more pointedly - WHY IS IT that the technology ALREADY EXISTS to answer every point I raised - namely, the combination OpenID and OAuth - to solve this problem?
If every webmaster would stop thinking they live in their own universe, and SIMPLY STOP storing their own passwords and instead REQUIRE AND ONLY SUPPORT OpenID and OAuth authentication, this whole problem would be nearly entirely eliminated from the internet. People would have ONLY ONE password to remember, for all sites. They could be FORCED to change it monthly, and it would not be a huge burden since it is their ONLY password.
But no, every site in existence thinks they are THE ONE and should be able to exist in their own walled garden independent of everyone else.
but wouldn't creating an account (in the online banking sense, not a bank account) require a visit to the branch in person?
I opened accounts with Ally (a bank) and PayPal (not technically a bank but they act like one) while living in Fort Wayne, Indiana. Ally and PayPal have no branches there.
Money transfers use IBANs or a similar system of account numbers, which are separate from login usernames.
A PayPal user sends money to another PayPal username, which is an e-mail address. Chase is starting a similar system called Chase QuickPay.
It's not your job nor the governments role to protect stupid people from themselves. If that were true, most people wouldn't have a cell phone nor an automobile.
My problem is this: too many sites don't even publish their password policies, so I can't even begin to tell what is an acceptable password. I may go to the trouble to use mixed case, only to find out that their password is case-insensitive. Or they may accept a long password but silently truncate it. Or they may not accept special characters, but "tell" me only with an error message when I try one. Or sites that turn right around and *send* me my new password so I won't forget it (again, without telling me ahead of time). Or this beaut from Verizon Wireless: to enter your billing password (a secondary password that you can't change if you forget even if you know your primary password there), if you have to on your phone, you convert its mixed-case letters via the phone's keys. The prompt (long after you've created your password) says that the password "abc2" is the same as "2222". In essence, they reduce everything to digits.
This is a completely new twist on "security by obscurity". Your password is defined under double secret probation.
At least most sites are now accepting greater than 8 characters. But even that took years.
There shouldn't be any reason why a website where I go willingly to spend my money would not take it without first giving me the third degree with all kinds of irrelevant data, and that includes password rules, secret questions, phone numbers, second verification email, and dancing naked on one leg. Seriously. For a one-time transaction all that is needed is a credit card number and a delivery address. Period. The password rules are becoming as idiotic as airport controls.
I went into my bank recently and got the hard sell about switching to internet banking.
This is something I've resisted, but I was told it was "quite safe" and "millions of people do it".
They had a so-called free cash-back offer on the debit card. I looked at the sign-up process and was told by the counter staff it needed a password of 6-8 characters - case insensitive and letters/numbers only.
For some reason they were surprised when I informed them that this was an incredibly weak password scheme and that I wanted nothing to do with it.
Needless to say, I'm still refusing to sign up for any internet based banking and automated money transfers.
My new password is going to be "nanny".
Please don't copy it - thank you.
n/t
/. -- the Free Republic of technology.
and a silly suggestion.
How many bits of entropy are you actually producing? If you don't know, go to the back of the class.
/. -- the Free Republic of technology.
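The entropy question asked here, and the server-assigned random passwords described earlier in the thread (the "just hand the user a random password" posts), as one added Python example; none of this is code from any poster. The alphabet, lengths and the eight-entry word list are constructed for the demonstration: a real passphrase generator would draw from a list of several thousand words.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits      # 62 symbols

# Constructed tiny word list; a real generator would use a diceware-sized list.
WORDS = ["apple", "river", "stone", "cloud", "tiger", "lemon", "piano", "maple"]


def entropy_bits(choices_per_symbol, symbols):
    """Entropy of a secret built from `symbols` independent uniform picks,
    each out of `choices_per_symbol` possibilities: symbols * log2(choices)."""
    return symbols * math.log2(choices_per_symbol)


def random_password(length=16, alphabet=ALPHABET):
    """Server-assigned password: uniform picks from the CSPRNG, never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words=4, wordlist=WORDS):
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def password_strength(length=16, alphabet=ALPHABET):
    return entropy_bits(len(alphabet), length)


def passphrase_strength(words=4, wordlist=WORDS):
    """Strength depends on the list size and word count, not on the
    phrase's character length."""
    return entropy_bits(len(wordlist), words)


def naive_bits_by_length(phrase, alphabet_size=27):
    """What a length-based meter would credit a lowercase-plus-space phrase
    with, if every character had been chosen uniformly. For a phrase drawn
    from a word list (or a song lyric) this overstates the real figure."""
    return entropy_bits(alphabet_size, len(phrase))


if __name__ == "__main__":
    pw = random_password()
    print(pw, "%.1f bits" % password_strength())
    phrase = random_passphrase()
    print(repr(phrase), "%.1f bits actual vs %.1f bits by length"
          % (passphrase_strength(), naive_bits_by_length(phrase)))
```

The last function is the answer to "how many bits are you actually producing": a 23-character phrase from an 8-word list carries 12 bits however long it looks, and a lyric is worse still, since the words are not chosen uniformly from anything and the whole line is in a searchable corpus. Only the generation process determines the entropy; a meter that looks at the finished string cannot measure it.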
Because, of course, it is so much better to sell your users to some social network and let them control how you run your site or business?
Webmasters do live in and manage their own universes, to the extent that they want to. What next, you're going to complain I have a door on my house or on my bathroom? Go away, you're creepy.
/. -- the Free Republic of technology.
1) to control access to data the user cares about
2) to externalize the costs of controlling access to data the company cares about onto the user
123456, password, etc. are perfectly valid and rational user responses to the latter situation.
/. -- the Free Republic of technology.
I locked myself out of a CapOne CC account the other day - my own fault for using an old pw/secret question&answer database - and the person who unlocked my account and reset every secret question and answer actually advised me that when resetting my five secret questions and answers that I shouldn't care about the questions and to just give the same answer to every one.
Sometimes I cry in my sleep. :(
Facebook, Google, Twitter and Yahoo all provide them already. So do identi.ca and OpenID.org and DOZENS of others. And if you wear a tinfoil hat 24*7 then you can run your own trivially. And finally, your ISP should provide one with your account as well.